Akamai Diversity

The Akamai Blog

DNSSEC Targeted in DNS Reflection, Amplification DDoS Attacks

By Bill Brenner, Akamai SIRT Senior Tech Writer

During the past few quarters, Akamai has observed and successfully mitigated a large number of DNS reflection and amplification DDoS attacks abusing Domain Name System Security Extension (DNSSEC) configured domains.

As with other DNS reflection attacks, malicious actors continue to use open DNS resolvers for their own purpose -- effectively using these resolvers as a shared botnet. This technique has also been linked to the DDoS-for-hire underground market.

The attacks are outlined in a new Security Bulletin written by Akamai SIRT, the full report can be downloaded at the following link: http://www.stateoftheinternet.com/dnssec-attacks.

DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications for security certain information provided by DNS. It is essentially a set of extensions to DNS which provide origin authentication of DNS data, data integrity, and authentication denial of existence. These additional security controls are designed to protect the Internet against certain types of attacks. A list of all RFCs associated with DNSSEC can be found here: http://www.dnssec.net/rfc

To date Akamai has observed several domain names utilized for these attacks.  Although the domains listed in the bulletin have been used in these attacks, other domains can be utilized.  

Since the beginning of November 2015, Akamai has detected and mitigated more than 400 DNS reflection/amplification DDoS attacks using a variety of domain names implementing DNSSEC. DNSSEC prevents the manipulation of DNS record responses where a malicious actor could potentially send users to its own site. This extra security offered by DNSSEC comes at a price as attackers can leverage the larger domain sizes for DNS amplification attacks.

Here's a breakdown by Industry vertical of DDoS attacks mitigated against the DNSSEC reflection method between Q4 2015 - Q1 2016:


The highlighted domain has been observed in DDoS attacks against customers in multiple verticals over the same time period, and based on our investigations we believe these attacks are most likely the work of attackers making use of a DDoS-for-Hire service that uses purchased VPS services, public proxies, a classic botnet and basic attack types such as DNS reflection attacks, SYN floods, UDP floods, SSDP floods, NTP floods, ICMP floods and even HTTP GET floods.

The report goes into detail about individual attacks, including screenshots and other graphics, and outlines steps organizations can take to protect themselves.

The full Security Bulletin can be accessed at http://www.stateoftheinternet.com/dnssec-attacks